
Commit a6ed6a6

feat: add fallback to process inspection so it doesn't fail on high privilege processes
1 parent f14fe05 commit a6ed6a6

1 file changed

Lines changed: 11 additions & 0 deletions


main.cpp

@@ -306,6 +306,17 @@ CloseHandle(hSnapshot);
306306

307307
void PIDinspect(DWORD pid) { // ooh guys look i'm in the void
308308
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
309+
// The above little handle opener is currently a somwehat "agressive" flag, since it
310+
// Requests read access directly to the process' actual memory. This can get us rejected if called
311+
// on a very high privilege process, such as lsass.exe This means that we can't read the memory
312+
// even WITH SeDebugPrivilege enabled. Windows doesn't want ya sneaking around in that!
313+
// So for that reason, I've added a fallback that only requests limited memory access,
314+
// which should hopefully allow us to read some informatoin about hte process
315+
if (!hProcess && GetLastError() == ERROR_ACCESS_DENIED) {
316+
// This lets us know if the error was denied specifically for access reasons. THis will initiate our little fallback.
317+
hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid); // poor little guy getting limited of his full power
318+
// This has been tested and it does let us get info about lsass.exe and even System! Woohoo!
319+
}
309320
if (!hProcess) {
310321
if (IsVirtualTerminalModeEnabled()) {
311322
std::cerr << "\033[1;31mError:\033[0m Could not open process with PID "
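Review bot: the fallback comment says the second OpenProcess "only requests limited memory access", but PROCESS_QUERY_LIMITED_INFORMATION grants no memory-read rights at all (it covers basic queries like exit code, image name and times); since the first attempt asked for PROCESS_VM_READ, any later code in PIDinspect that reads process memory or enumerates modules will still fail on the fallback handle, now with a non-NULL hProcess that the `if (!hProcess)` check on the following line will happily pass. Suggest recording which access level was actually obtained, e.g. `bool limitedAccess = false;` before the OpenProcess call and `limitedAccess = true;` inside the fallback branch, and gating the memory-dependent queries on it so the caller gets an explicit "limited info only" result rather than a later ERROR_ACCESS_DENIED; the comment should be reworded to match what the flag really grants. Minor: the new comments carry several typos (somwehat, agressive, informatoin, hte, THis).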

0 commit comments
